Evolving Security in the Face of Cyber Attacks

Hacking and data breaches have become a painful reality for businesses of all sizes and from all industries. Attackers have perfected the art of finding the weak links in an organization and exploiting them to infiltrate it and steal its most important assets.

Highly distributed organizations are often particularly susceptible to these attacks. Satellite offices, clinics, stores, and remote workers are all potential security soft spots that an attacker can use to compromise the entire organization. And while there is no silver bullet, there are steps organizations can take to detect and prevent these threats and keep from becoming the next headline.

Getting Holistic on Security

No, this does not mean getting new age about security or having your network admins belt out a few kumbayas. It does mean recognizing that every part of an enterprise is critically related to the overall security of the organization as a whole. All of the pieces matter, and an infection in one part is likely to spread to the rest. A security strategy that builds a fortress of defenses around the corporate headquarters while doing the bare minimum at remote offices plays directly into the hands of modern attackers.

Of course, companies can’t buy one of every security product in the world and deploy them in every location. The point isn’t to replicate the corporate fortress everywhere, but rather to establish a security context that is shared across all locations. For example, security teams need to be automatically notified if a remote office shows signs of malware infection and is also making unusual requests to a database at corporate. Context is the key, and this context needs to span the entire organization.

Focus on Your Assets

Information security has traditionally been an exercise in keeping the bad guys out. Trusted areas are separated from untrusted areas, and the boundary is monitored for malicious agents like exploits and malware. These are still good goals, but it is readily evident that this alone is not sufficient. As organizations become more decentralized, there is simply too much perimeter, the perimeter is too porous, and there is too much overlap of trust and distrust for prevention alone to be perfect.

To address this, organizations need to begin focusing internally and build processes that put key assets at the center of the security strategy. This means gaining a thorough understanding of where the key assets of the organization actually reside. How are they segmented from the outside world? How are they segmented from employees? Is the network flat, so that any employee can access any asset? If an employee were infected with malware, how would the attacker spread in order to get to critical assets?

With this information in mind, security teams then need the ability to detect threats and anomalies inside the corporate network and to see those threats in the context of key assets. This may require rethinking the approach to security, but it is an essential evolution. Hackers don’t break into networks because they hate the perimeter. They break in to steal assets, and our security architectures need to reflect that.

Get Behavioral

It may seem counterintuitive, but as hacks get more sophisticated, we often see fewer and fewer exploits or obvious malware. Once an individual user is compromised, the attacker will steal the victim’s credentials and continue the attack using the victim’s identity. This is particularly significant in the context of remote offices or distributed organizations. By the time an attacker migrates from a remote office to the central office, there very well may not be a smoking gun exploit to detect. The remote user is an unwitting zombie under the control of the attacker.

As a result, the focus must shift to recognizing a behavioral change on the part of the user or their device. Is the employee trying to access areas of the network that are unusual for that user? Are there signs the user is trying to log in to new systems or requesting new services? Are there new applications or remote access behaviors that could indicate the presence of malware? These are just a few of many potential behavioral signals, but they serve as an example of how security must adapt in how it sees malicious behavior.
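The two ideas above, a per-user behavioral baseline (new logins or new targets for that user) and the cross-site context from the earlier section (a remote-office host with malware signs also reaching a corporate database), can be sketched as one small detector. This is an added illustration, not code from the article or from Vectra; the log records, host names, and the "key asset" list are all constructed.

```python
"""Behavioral baseline plus cross-site correlation over constructed access logs."""
from collections import defaultdict

# Constructed sample access log (not from the article).
# Fields: day, site, user, host, action, target
BASELINE_LOG = [
    (1, "remote", "alice", "remote-pc7", "login", "remote-fileshare"),
    (1, "remote", "alice", "remote-pc7", "db_query", "remote-db"),
    (2, "remote", "alice", "remote-pc7", "login", "remote-fileshare"),
    (2, "hq", "bob", "hq-ws12", "db_query", "hq-finance-db"),
]
NEW_LOG = [
    (3, "remote", "alice", "remote-pc7", "login", "remote-fileshare"),
    (3, "remote", "alice", "remote-pc7", "login", "hq-finance-db"),    # never seen for alice
    (3, "remote", "alice", "remote-pc7", "db_query", "hq-finance-db"), # never seen for alice
    (3, "hq", "bob", "hq-ws12", "db_query", "hq-finance-db"),          # normal for bob
]
# Constructed endpoint telemetry: hosts with malware indicators today (assumed input).
MALWARE_HOSTS = {"remote-pc7"}
# Assets the organization has identified as critical (assumed input).
KEY_ASSETS = {"hq-finance-db"}


def build_baseline(log):
    """Map each user to the (action, target) pairs seen during the baseline window."""
    seen = defaultdict(set)
    for _day, _site, user, _host, action, target in log:
        seen[user].add((action, target))
    return seen


def behavioral_anomalies(log, baseline):
    """Return events where a user does something absent from their own baseline."""
    return [e for e in log if (e[4], e[5]) not in baseline.get(e[2], set())]


def correlate(anomalies, malware_hosts, key_assets):
    """Score each anomaly: new behavior alone is low; add weight when the source host
    shows malware signs and when the target is a key asset. Highest score first."""
    findings = []
    for _day, site, user, host, action, target in anomalies:
        score, reasons = 1, ["new behavior for user"]
        if host in malware_hosts:
            score, reasons = score + 2, reasons + ["source host shows malware signs"]
        if target in key_assets:
            score, reasons = score + 2, reasons + ["targets key asset"]
        findings.append({"site": site, "user": user, "host": host, "action": action,
                         "target": target, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])
```

Running `correlate(behavioral_anomalies(NEW_LOG, build_baseline(BASELINE_LOG)), MALWARE_HOSTS, KEY_ASSETS)` surfaces only alice's two first-ever touches of the finance database, each scored 5 because they come from a host with malware signs and land on a key asset, while bob's routine query is not flagged at all.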

These adaptations to security may seem foreign at first, but they are essential to aligning security practices with the realities of protecting an organization from modern cyber attacks. By establishing an enterprise-wide context focused on key assets and user behaviors, organizations can build a unified security framework that encompasses all locations and all of their assets.

Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience, having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks, where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet, where he helped to develop a variety of security and network analysis tools targeted at WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.